After Swapper and F2FI Protocol, I began to wonder, how to really make a maximum security web wallet, which also had the best possible UX and used all F2FI features. So in this thread, I am giving you the solution I came up with.
Internet Identity team can take parts or the whole thing. I believe no changes on the II backend are needed and it’s all frontend work.
It uses different mechanisms for mobile and desktop. The reason is, mobile is more secure and we can use localStorage to keep safe, while we can’t do that in desktop browsers that have extensions with read/ write permissions in them. A lot do, LastPass, Grammarly, Metamask, Ad blockers, Youtube downloaders, etc.
One realization I had @ desktop mode: Internet Identity in Iframe is better than opening a new window. You can keep it on and make multiple dialogs (like transaction signing) without saving anything in localStorage during the page session. After attempting to theoretically hack this setup with various attacks → I couldn’t figure a way that will result in an exploit even with a full read/write malicious extension.
Another realization Swapping is so much better than sending stuff and hoping you get something in return. It’s optional and harder to do, but really improves the UX and can be multi standard
Internet Identity only needs to take care of selecting identity, selecting a wallet, signing, and swapping. It doesn’t need to display wallet contents. Sites can do that as it works now.
So if there isn’t something I am missing, this should bring better UX with more security.
Wallet private keys always stay inside II and are only signing function calls (transaction signing) (Every site signs with the same key pair)
Identity private keys work like II keys right now (Every site gets a different key pair)
Identity keys shouldn’t be used to store assets. They are given to the frontend so it doesn’t have to prompt the user to sign every little click, like thumbs up on a post.
The app decides what to request, identity, wallet, or both.
Opens in iframe. It stays on permanently and is hidden when not used. Becomes visible and expands for authentication or transaction signing and other F2FI protocol features. No need to refresh it, it can be used during the whole session
Extensions with full write/read access are way too powerful in browsers and we need II to be able to protect private keys and resist them.
Wallet private keys are kept in memory in anonymous function local scope and never leave it.
Identity private keys work like now
Something is used to freeze JS prototypes and prevent private key leaking.
As soon as the page loads (inside ) there is a script that runs and nothing can stop or prevent it, even extensions. It monitors for injected scripts from extensions trying to do DOM changes and replace the UI with a fake one. It monitors for requests towards webauthn trying to authenticate the malicious script. For protection - perhaps If attack is detected then a message is sent to the parent window to destroy the iframe.
Loses the keys if someone hits refresh. If single-page applications are done right, no refreshing will be needed.
Opens in a window like now or iframe
Wallet private keys are stored inside the II window in localStorage. Mobile browsers don’t have extensions with full read/write access so keys are safe this way.
Wont loose the keys if someone refreshes the page
Backup phrase can only be retrieved from the mobile version - a desktop extension can always read it.
Swapper - Swapper. Atomic swap | multi-token | multi-standard | multi-type NFT / FT
F2FI Protocol - Frontend-to-Frontend Identity Protocol (F2FI)
Identicons used: (SCHUMANNCOMBO — User Interface & Icon Design)